Log in

View Full Version : An anti-attach trick.

walied
December 15th, 2011, 18:12
I need to present a new anti-attach trick that i have recently come up with.

Given the two following facts, 1) For a debugger to attach itself to a process, the debugger has to create a remote thread in the process, 2) The OS loader calls TLS callbacks when a new thread is created in a process - we can design a TLS callback which increments a global variable. This global variable holds number of threads in the current process. If value in this variable exceeds a specific number, this means that a foreign thread has just been created and the process has to exit as such.

This is a simple demonstrating example.
http://ollytlscatch.googlecode.com/files/example1.rar ("http://ollytlscatch.googlecode.com/files/example1.rar")

2526

To make things harder, we would use dynamic TLS callbacks instead.

To implement a dynamic TLS callback, follow these 2 steps:
1) Create a TLS structure and then store its rva and size in the TLS data directory at runtime.
2) Set the "_LdrpImageHasTls" global variable in ntdll.dll to true.

Source code can be found here.
http://ollytlscatch.googlecode.com/files/example2.rar ("http://ollytlscatch.googlecode.com/files/example2.rar")

It works on Win XPSP3 only. You can edit the source code to include other OSes.

N.B. This trick is still in progress and i am waiting for any feedback.
Indy
December 16th, 2011, 23:50
When creating a remote thread to remove the dbgport.
walied
December 17th, 2011, 02:02
Hi Indy,

Honestly, i could not get it all. Could you plz elaborate?
Indy
December 17th, 2011, 05:55
http://wasm.ru/forum/viewtopic.php?id=31183 ("http://wasm.ru/forum/viewtopic.php?id=31183")
http://www.woodmann.com/forum/showthread.php?12460-Olly-loads-Olly-to-bypass-anti-attach-tricks-*-Clerk-trick-* ("http://www.woodmann.com/forum/showthread.php?12460-Olly-loads-Olly-to-bypass-anti-attach-tricks-*-Clerk-trick-*")
walied
December 17th, 2011, 10:24
The "load olly into olly" workaround works fine as we jump over the call to the "DbgUiIssueRemoteBreakin" function, bypassing creation of any remote threads. It is also noteworthy that some functionalities fail after applying that workaround.
Indy
December 17th, 2011, 13:40
Set the ldr notifier. Now proceed detach from it(NtRemoveProcessDebug).
Maximus
December 20th, 2011, 10:35
Code:


		xxx++; //one more thread is created in this process

		if(xxx>MAX_NUM_OF_THREADS)

		{

		    MessageBoxA(0,"A7a, Are you trying to attach a debugger to me?","A7a",0);

		    ExitProcess(100);

		}


...how can you know the number of concurrent thread you ever have? What if one of the libraries *dare* to create a thread of internal workings?
The idea is nice, but you cannot use it that simplicistic way, at least for complex applications in a (relatively) complex dll environment.
walied
December 20th, 2011, 14:37
I know counting threads is not the best option. It is here just for simplification. We can rather query the starting address (entry point) of each new thread. If the starting address is a specific function (e.g. DbgUiRemoteBreakin) or not belonging to a set of defined functions, then it is an attaching thread and process should exit.